Board Oversight of Risk Management: Directors’ Duties with Respect to Risk Oversight
By Kimberly Decker & Atul Malhotra
ADVANCING EXEMPLARY BOARD LEADERSHIP™
Kimberly Decker
DIRECTORS’ DUTIES WITH RESPECT TO RISK OVERSIGHT
Fiduciary Duties, Generally
• Directors stand in a fiduciary relationship to the corporation and owe two primary fiduciary duties to the corporation:
  – Duty of Care
  – Duty of Loyalty
Business Judgment Rule
• Varies by state BUT, in general, the acts of the board, its committees and individual directors are presumed to be in the best interests of the corporation.
• It can only be overcome if the plaintiff can show that the directors breached a fiduciary duty (i.e., duty of care and duty of loyalty):
  – lack good faith or
  – engage in self-dealing
• This is significant protection for directors’ acts
• Places the burden of proof on the plaintiff to overcome the presumption
Duty of Oversight?
• The duty of care and the duty of loyalty are the two main fiduciary duties of directors
• Delaware (and other states) have created a “Duty of Oversight”, also called “Caremark” duties in Delaware
• Fits where attacking the duties of care and loyalty doesn’t provide relief
• This is a corporate compliance related duty, as interpreted
• Failure of this duty opens up directors to personal liability
Duty of Oversight
• 1996 - Caremark: directors have an affirmative duty to establish and exercise oversight over some form of internal compliance activity
• Requires a good faith attempt to establish a corporate information and reporting system
• Standard of care is low - no “bad faith”
• Subsequent cases demonstrate that director liability for breach of the duty of oversight requires an utter failure to implement any reporting system or controls or, if implemented, a conscious failure to monitor
Duty of Oversight
• “Red flags” versus “yellow flags”; no oversight versus flawed oversight:
  – Failure to meaningfully respond to a troubling, continuing pattern of noncompliance
  – Knowing approval of a business strategy that specifically incorporates illegal actions
  – Tolerance of operations that knowingly defy law
  – “Utter failure” of the information reporting system
• Note the “knowledge” references
Duty of Oversight - Good News!
• The standard of care (no bad faith) is really low.
• “Possibly the most difficult theory in corporation law on which a plaintiff might hope to win a judgment”.
Duty of Oversight - Bad News!
• Really only applies to shareholder derivative suits.
• There may be other creative ways to use a different lawsuit platform to impose higher standards.
• Higher standards may be expected by federal and state regulators.
• Reputational harm to directors and the company even from a “win” (because, again, bad faith is a low standard).
• Flawed or inattentive oversight may survive a Caremark claim challenge, but could also affect availability of D&O coverage and indemnification protection if there are breaches of the common law duties of care and loyalty.
Where Does that Leave Us?
• You are not likely to be successfully sued for breach of the Duty of Oversight… BUT
• There are lots of other reasons to raise the standard above “no bad faith”
• The Duty of Oversight is different from the Business Judgment Rule
  – Avoidance/conscious disregard vs. action (whether or not it was the “right” action)
Navigating the Duty of Oversight
• Is there a compliance mechanism in place?
• Ability to appreciate the types of information and activity that might be a “red flag”:
  – Regulatory climate for your company
  – What IS the internal compliance program and how is it supposed to work?
  – Can you identify patterns of conduct that may rise to the level of creating “actual knowledge”?
    • Whistleblower reports
    • Letters to the board or audit committee
    • Numerous and related civil claims
• Understanding the extent to which corporate ethics are embedded across all levels of employees
Atul Malhotra
DIRECTORS’ DUTIES WITH RESPECT TO RISK OVERSIGHT
Legal Statement
The views presented in this material and during the course of this presentation are those of Mr. Malhotra only and not necessarily those of his current employer, Fulton Financial Corporation, its officers or Directors, nor any prior employer or organization with which he is or has been affiliated. The information contained herein is of a general nature and based on authorities that are subject to change. A good faith effort has been made to attribute ownership for materials sourced from other publications and authors. This presentation does not constitute legal, corporate governance or risk management advice or service. Applicability of the information to specific situations should be determined through consultation with a professional adviser.
The risk management imperative – why do we need to do it?
According to the World Economic Forum, the volume and velocity of threats to enterprise value are growing exponentially. Identifying, assessing, prioritizing, managing and monitoring these threats in a structured and disciplined manner is the practice of risk management.

Key concept – Enterprise Risk Management: a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of an entity’s objectives. [1]

Threats to enterprise value shown around Enterprise Risk Management in the slide diagram:
• Supply chain disruption / counterparty concentration risk
• High performer / key leader turnover
• Social media brand disruption / trolling / activist consumer groups
• Marketplace disruption / strategic misalignment
• Data breach / cybersecurity incident
• Regulatory / legal actions
• Compliance violations
• Systemic operational inefficiency

1 – Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management – Integrated Framework (2004).
How is risk management accomplished?
To get started the entity must establish risk accountabilities. It starts at the top and must cascade throughout the organization. Day-to-day management activities are informed by the organization’s risk appetite and influenced by the risk culture, even if these are not formally established, understood or managed.

1. Assign Roles and Responsibilities – accountability cascades from the Board of Directors / Board Committees to the C-Suite, Legal Entity, Division, Business Unit and, finally, each Product, Service and Process
2. Establish a Framework – risk culture; risk appetite; policies, organizational structure, objective setting and incentives; risk management system
3. Implement & Report – the risk management cycle: Identify Risks, Assess, Quantify, Mitigate, Transfer, Monitor

Key concept – Risk Appetite: the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so. [1]

Three lines of defense (Office of the Comptroller of the Currency Risk Governance Framework, Comptroller Safety and Soundness Handbook, Corporate and Risk Governance, July 2016):
• First line of defense – frontline units, business units, or functions that create risk
• Second line of defense – independent risk management, loan review, compliance officer, chief credit officer
• Third line of defense – internal audit, including independent assurance

1 – COSO Research Paper – ERM – Understanding and Communicating Risk Appetite (2012)
What is a risk appetite statement?
It is widely understood that entities will need to take some risk in order to achieve their stated goals – the key is to understand how much risk the entity is willing and able to accept. A risk appetite statement is a formal, board-approved statement of how much risk the entity is willing to accept. At minimum it includes the following key elements:
• Link to the entity’s mission, vision, strategy and objectives (i.e. tied to the value creation activities of the entity)
• Stated precisely enough to be able to be communicated across the organization and effectively monitored
• Contains both quantitative and qualitative measures of risk to facilitate both objective monitoring and subjective identification of emerging risks (i.e. knowns, known unknowns and unknowns)
• Describes risks that exist at an individual level and in the aggregate as well, hence requires measurement and monitoring to provide such perspective
• Defines the entity’s view of risk and any broad categories that it uses to measure risk
• Defines the actions to be taken when risk measures are outside of the established tolerances defined in the risk appetite statement

[Figure: “Optimal Risk-Taking – Where is the Entity’s Appetite?” – Expected Enterprise Value plotted against Risk Level, with regions labelled Insufficient Risk-Taking, Optimal Risk-Taking and Excessive Risk-Taking and the prompts “Should we be doing this?”, “Is this normal?” and “Too good to be true?”]
A bit about frameworks
There are several risk management frameworks available to choose from, some specialized by domain of risk as well. An effective risk management program will adopt a framework that meets the needs of the organization.
Making it all work together – 1. Define and Organize Risks
• Ensure management has created an enterprise-wide taxonomy of risks that considers all risks applicable to the entity’s activities
• Ensure management has organized the risks in a manner that allows the entity to “roll-up” risk information in a meaningful and actionable way
• Ensure management is able to “drill down” where appropriate
• Ensure the risk inventory stays current and is complete – has management purchased the list or adopted an industry accepted inventory?

The slide’s example taxonomy has four top-level categories – Strategic Risk, Financial Risk, Operational Risk and Compliance Risk – broken down into: Alignment Risk, Execution Risk, Implication Risk, Reputational Risk, Financial Reporting Risk (ICFR/SOX), Tax Position Risk, Balance Sheet / Asset Liability Management Risk, Credit Risk, Investment Risk, Market / Price Risk, Liquidity / Cash Flow Risk, People Risk, Process Execution Risk, Information Technology Risk, Cyber Security Risk, Physical Security Risk, Model Risk, Business Continuity Risk, Fraud Risk, Vendor Risk, Legal Risk, Regulatory Risk and Tax Compliance Risk.
Making it all work together – 2. Establish Ownership & Accountability
Board of Directors
• Provide oversight and establish risk governance through policy
• Set the tone for risk culture
• Approve risk appetite statement and risk framework
• Monitor risks through established regular updates
• Provide independent, informed credible challenge of management’s assumptions, biases and opinions of risk
• Receive assurance of risk management effectiveness from internal audit
CEO & Executive Management Team
• Set strategy and organization objectives
• Monitor risks associated with strategy
• Provide oversight and monitoring of enterprise-wide risks
CFO & Accounting / Finance Team
• Responsible for financial risk management and related compliance risk management
• Acts as a corporate control function for financial risks, advising and supporting business line financial decisions
CCO & Corporate Compliance Team
• Provides oversight and monitoring of business unit and product compliance
• Provides regulatory compliance subject matter expertise and coordinates input from other specialists (e.g. Legal Counsel)
General Counsel
• Manages and monitors legal risk
• Provides expertise in regulatory compliance matters where necessary
Business Unit / Division Leaders
• Own the risks applicable to their business unit
• Responsible for risk mitigation and control decisions of all risks applicable to their business
• Subject matter expertise provided by specialists (e.g. CRO/CAE, CHRO, CISO, CCO, Corporate Security etc.)
• Specific risks may also be owned by specialists (e.g. People Risk owned by CHRO, Cyber-Security Risk owned by CISO)
Making it all work together – 3. Implement Programs
• Risk assessments should be conducted periodically to ensure applicable risks are identified and measured in a timely manner. Risk assessments will likely be done on specific categories of risk, and assessment criteria will include monetary and non-monetary considerations as well as qualitative factors.
• Assessed risks should be quantified through measurable metrics, also known as Key Risk Indicators (KRIs), using a standardized scale. The scale should align to the risk appetite statement for easy reporting.
• Formalized internal control programs, including periodic testing and monitoring for effectiveness, mitigate inherent risks.
• Insurance, asset securitizations, receivable factoring and similar tactics may be used to transfer some remaining risks.
• Remaining risks are then monitored and reported upon periodically. The level of reporting depends upon the risk and the recipient’s responsibility. Boards should typically receive summary-level actionable intelligence along with management’s action plans where necessary.
A Board perspective
Key Takeaways
• Understand the entity’s risk philosophy and concur with the entity’s risk appetite.
• Know the extent to which management has established effective enterprise risk management of the organization.
• Review the entity’s portfolio of risk and consider it against the entity’s risk appetite.
• Be apprised of the most significant risks and whether management is responding appropriately.
Key Questions to Consider
• Does the Board have the right expertise to provide risk management oversight?
  – A diverse and experienced set of independent directors can offer great value in a risk management context. Diverse experiences lend themselves to challenging the status quo.
  – Consideration should be given to subject matter specialists among the independent directors (e.g. a financial expert on audit committees pursuant to SEC rules implementing SOX § 407, cybersecurity expertise on Boards with such risk exposure).
• Is the Board structured to provide sufficient time for risk management oversight?
  – An audit committee of the board traditionally provides some risk management oversight. However, large and complex entities should consider whether the audit committee is able to provide sufficient oversight of non-financial risks (other committees such as compensation, nominating / governance etc. also provide specific risk oversight).
  – Larger organizations are now opting for a specialized committee to focus on risk management more broadly, while allowing traditional Board committees to focus on specific risks. Many regulatory bodies around the world have demanded that a risk committee of the board be established to provide sufficient oversight of risk management (e.g. Reg YY implementing the enhanced prudential standards of the Dodd-Frank Act).
• Is the Board holding management accountable for achieving its stated strategic objectives?
  – Consideration should be given to long term enterprise value. Foregoing longer term value for short term gain often results in catastrophic destruction of capital and value.
  – The Board should regularly challenge management’s assumptions, biases and opinions of risk inherent within its business operations and strategic decisions.
• Is the Board sufficiently independent?
• Is the Board using external experts and the independent Internal Audit function to gain assurance over the risk management practices and information?
Red flags for independent directors
• “There is too much risk with that idea”
• “There is no risk with this strategy”
• “We can’t possibly measure or assess that risk”
• Strategy discussions do not include a conversation about risk
• Risk management decides which strategies to pursue
• “We’ve never seen that happen”
• Risk management dashboards are all green
• Risk Management = A Compliance or Audit Activity
• Reputational risk is not a consideration
• “The sky is the limit”
Some additional resources
In addition to industry specific trade groups and subject matter specialists, I have found the following organizations provide leading insights and often publish practical and easy to understand perspectives on various risk management topics.
Q&A
Speaker Bio
Atul Malhotra, CRMA, CRISC, CISSP, CISA
Fulton Financial Corporation - SVP, Managing Director of Enterprise Risk Management
Mr. Malhotra is a seasoned risk management executive with over 15 years of corporate governance, risk management and regulatory strategy experience. In his current role, at a diversified mid-size bank holding company in the US mid-Atlantic region, Mr. Malhotra is responsible for oversight and delivery of the organization’s enterprise risk management program. The program includes a multi-disciplinary approach to risk identification, assessment, monitoring and reporting across all domains of risk inherent in the business. In the past Mr. Malhotra served as a regulatory and risk strategy consultant for various publicly traded companies including large systemically important financial institutions with operations in the US and elsewhere. Mr. Malhotra has considerable operational and related technology risk management and benchmarking experience. Mr. Malhotra’s prior experience ranges from serving as an auditor charged with the implementation of risk and control assessments and attestation programs to satisfy the Sarbanes-Oxley Act of 2002 to the development and implementation of early warning measures and operational resiliency protocols to demonstrate readiness of a large bank “living will.” Mr. Malhotra has extensive experience with helping companies implement pragmatic solutions to their most complex risk management problems. Mr. Malhotra has been a member of the Deloitte Financial Services Industry Fellowship program. He currently serves as a Director for the Philadelphia Chapter of ISACA and was previously on the executive committee of the chapter’s Board of Directors. He is also an active member of the FEI, RMA, GARP, the IIA, (ISC)² and various ABA risk management working groups.